AWS
In love w CloudSec
Configuration
Create a Root and IAM user
The IAM user must have a custom password set, along with a generated Access Key ID and Secret Access Key.
Under IAM, create a normal user assigned AdministratorAccess, and create a misconfigured S3 bucket with public access over its objects.
Meanwhile, access the AWS account via the AWS CLI:
$ aws configure --profile demo-user
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
....
The keys are now stored under
~/.aws/credentials
To confirm, we can query the IAM user:
$ aws iam get-user --profile demo-user
{
    "User": {
        "Path": "/",
        "UserName": "demo-user",
        "UserId": "*******************",
        "Arn": "arn:aws:iam::***********:user/demo-user",
        "CreateDate": "2023-09-18T09:07:45+00:00",
        "PasswordLastUsed": "2023-09-18T09:08:21+00:00"
    }
}
We can now interact with the misconfigured S3 bucket
$ aws s3 ls --profile demo-user  # list the buckets
2023-09-18 14:41:53 securebucketnxg
$ aws s3 ls s3://securebucketnxg --profile demo-user  # list the objects inside the public bucket
2023-09-18 14:42:37 242687 IoT.pdf
$ aws s3 sync s3://securebucketnxg output_dir --profile demo-user  # download the objects
So far we've listed and dumped the contents reachable by our own IAM user and buckets. What if an unknown user finds the bucket name? How would they approach it?
You guessed it: exactly the same way, and they would get the objects within the bucket if it's publicly exposed.
S3 Bucket - Best Practice
Navigate to
Amazon S3 > Buckets > securebucketnxg > IoT.pdf > Edit access control list

After unchecking
Everyone
Anyone with AWS account
no unknown user can list the objects within the S3 bucket - Best Practice!
$ aws s3 ls s3://securebucketnxg --profile different_user
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
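To verify the fix from the CLI instead of clicking through the console, the ACL returned by `aws s3api get-bucket-acl` (or `get-object-acl`) can be checked for the two grantee groups behind the "Everyone" and "Anyone with AWS account" checkboxes. This is an added example, not part of the original notes; the two ACL documents below are constructed, and the owner ID is a placeholder.

```python
import json
import sys

# Grantee URIs behind the two console checkboxes in "Edit access control list":
#   "Everyone"                -> AllUsers
#   "Anyone with AWS account" -> AuthenticatedUsers
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone (public)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Anyone with an AWS account",
}


def public_grants(acl):
    """Return [(who, permission), ...] for every grant that exposes the bucket or
    object to a public grantee group. `acl` has the shape of the JSON printed by
    `aws s3api get-bucket-acl` / `aws s3api get-object-acl`."""
    exposed = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            exposed.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return exposed


def is_public(acl):
    return bool(public_grants(acl))


# Constructed sample: the misconfigured bucket before the fix (both boxes checked).
BEFORE_FIX = {
    "Owner": {"ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}

# Same ACL after unchecking both boxes: only the owner's FULL_CONTROL grant remains.
AFTER_FIX = {"Owner": BEFORE_FIX["Owner"], "Grants": BEFORE_FIX["Grants"][:1]}

if __name__ == "__main__":
    # Pipe a real ACL in, e.g.:
    #   aws s3api get-bucket-acl --bucket securebucketnxg --profile demo-user | python3 check_acl.py
    acl = json.load(sys.stdin) if not sys.stdin.isatty() else BEFORE_FIX
    print("PUBLIC" if is_public(acl) else "private", public_grants(acl))
```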
Launch an EC2 Instance
Search for EC2
Generate a key pair; the instance can then be accessed via ssh or PuTTY.
Launch a simple instance with the default inbound rules (for now).

$ chmod 400 cashserver.pem
$ ssh -i "cashserver.pem" ec2-user@ec2-13-x-38-x.eu-north-1.compute.amazonaws.com